Challenge Board
Log in to reveal challenge IPs.
Limited: online now
Ends in calculating...
A forgotten nameserver sits exposed on the network, its zone transfer restrictions never configured. What secrets does its DNS database hold — and can you leverage them to walk right through the front door?
Limited: online now
Ends in calculating...
The web server proudly serves its directory tree to anyone who asks. Hidden among the exposed files lies a credential that opens more than just a web page. Look closer — the index never lies.
Limited: online now
Ends in calculating...
An enterprise directory left open to anonymous queries. Someone forgot to lock the front gate — walk the tree, extract what was never meant to be public, and forge your path all the way to root.
Limited: online now
Ends in calculating...
The database administrator forgot the most important rule: always set a root password. Tap into the exposed data store, recover what was left in plaintext, and pivot your way to full control.
Limited: online now
Ends in calculating...
A Redis instance stands wide open — no authentication, no firewall, just raw access to an in-memory data store. The question isn't whether you can read it. The question is: can you turn a cache into a root shell?
Limited: online now
Ends in calculating...
An rsync daemon quietly exposes its modules to the world, no credentials required. Dig through the synchronized data, recover what was meant to stay private, and ride the drift all the way to root.
Limited: online now
Ends in calculating...
Two file-sharing services, two attack surfaces. Pivot between SMB and FTP to piece together the credentials that bridge your path to root. Neither service alone holds the answer — the key is in the crossing.
Limited: online now
Ends in calculating...
The mail server helpfully confirms which users exist — and the sysadmin made sure some of them have terrible passwords. Enumerate the recipients, guess the passphrase, and deliver yourself a shell.
Limited: online now
Ends in calculating...
A network management agent leaks far more than just metrics. Walk the MIB tree, read what the community string reveals, and follow the trail of exposed data straight to a root prompt.
Cleartext credentials over a legacy protocol — some habits never die. Authenticate through the old gateway, find what the sysadmin left behind, and walk the classic escalation path to root.
A TFTP server meant for network booting inadvertently serves up configuration files to anyone who asks the right filename. One leaked config is all you need — find the foothold, then find the path out.
The corporate domain controller sits exposed on the network — Samba-backed SMB shares, weak service accounts, and an IT backup share the admins forgot about. Enumerate, pivot, and drain the domain. Part of the CorpNet AD lab.
A domain-joined workstation running a vulnerable employee intranet portal. The login form trusts user input a little too much — once inside, the dashboard leaks more than it should. Part of the CorpNet AD lab.
An internal employee portal shipped to production without a security review. Three unpatched vulnerabilities sit in the same PHP codebase — SQL injection, command injection, and an unrestricted file upload. Chain them to own the box.
A 32-bit SUID binary runs on this machine with every modern mitigation stripped away — no canary, no NX, no PIE, no ASLR. One vulnerable call to gets() is all that stands between you and a root shell. Develop the exploit.